urelas | 74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9

Analysis

max time kernel
151s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
25/03/2024, 19:36

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9.exe
Size

485KB
MD5

9381517a4c24d290f5f2fa3d1f447cb0
SHA1

a8f37f77012f18bf6e672ce7995cf5111f429e85
SHA256

74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9
SHA512

f6beeaffb7f7254bafc0cae15f9f2175ae1eff3ed333ecc0b178a9d29907d901f2fe41b58f615433b13da92bffc6c40e82ba7e70f6e4f51423fef221d1440396
SSDEEP

12288:2pbvglu0agWSFnxAEwKyLH8l+O9H6s2si2XfxKTbc1:2pbXi5xzFUBaazsiofx8u

Score

10^/10

urelas trojan

Malware Config

Extracted

Family

urelas

1.234.83.146

133.242.129.155

218.54.31.226

218.54.31.165

Signatures

Urelas
Urelas is a trojan targeting card games.
trojan urelas

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	evxui.exe

Executes dropped EXE 2 IoCs

pid	Process
5016	evxui.exe
2724	zuzit.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe
2724	zuzit.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 1448 wrote to memory of 5016	1448	74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9.exe	98
PID 1448 wrote to memory of 5016	1448	74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9.exe	98
PID 1448 wrote to memory of 5016	1448	74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9.exe	98
PID 1448 wrote to memory of 1480	1448	74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9.exe	99
PID 1448 wrote to memory of 1480	1448	74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9.exe	99
PID 1448 wrote to memory of 1480	1448	74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9.exe	99
PID 5016 wrote to memory of 2724	5016	evxui.exe	116
PID 5016 wrote to memory of 2724	5016	evxui.exe	116
PID 5016 wrote to memory of 2724	5016	evxui.exe	116

C:\Users\Admin\AppData\Local\Temp\74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9.exe
"C:\Users\Admin\AppData\Local\Temp\74bd986ac84884be3dc537835d5c726f3aa74400ca6f2024df6fceb272b9dae9.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:1448
- C:\Users\Admin\AppData\Local\Temp\evxui.exe
  "C:\Users\Admin\AppData\Local\Temp\evxui.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:5016
- - C:\Users\Admin\AppData\Local\Temp\zuzit.exe
    "C:\Users\Admin\AppData\Local\Temp\zuzit.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:2724
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\_uinsey.bat" "
  2⤵
  PID:1480

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4104 --field-trial-handle=2280,i,716736634476467098,11449718822158202904,262144 --variations-seed-version /prefetch:8
1⤵
PID:2728

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_uinsey.bat

Filesize
340B

MD5
9bfb4762aab306ffe80a4727bf157b4c

SHA1
887fc986a32712e363bd9b58244caeaff0b27d7d

SHA256
c544fd8c052449a6ea87272741f5af985fef9dfce85b799c1e94b1aa8beef86b

SHA512
440903c55f727a1fac7ecac6a87f8bec8b520f2a6f5643b8015976f9c6027ebdcd903c944b06094b32ad5a083dda91a60a8208f1317cdf79705de9813f40bd12

Download Submit
C:\Users\Admin\AppData\Local\Temp\evxui.exe

Filesize
485KB

MD5
76da773e5e1f8f9ef012a573a4efe795

SHA1
fd5b28e77b05096b96b439b3515734869cc194fd

SHA256
c237fff02540c4e75d1b1006a0ef17fb084af486e696dbc9217cc97b2e193d0b

SHA512
655a87cfa2c0f2a5127978210e31ad533e5cf7bf6b164be1f8128cb7efee41c70495ca60bc6f7a5dc5a6abcd873feb0fa0cbe589c0bb2d4e987159a0177ccc6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\golfinfo.ini

Filesize
512B

MD5
b3c6c7541ae1bda701faaf6bccf6bcb2

SHA1
a6a637fcd2dd9423347f4e84397cb6f1abd41ecf

SHA256
919653ba6b2c76cffacaea0ae3cf17b335ffe6e2e4ba8e2ee1472112922c9c0d

SHA512
c247cef4bed7bd483dc8f31b0d6b4576790d251403c3958d94564cb6017666e4ddaeef87aa6b456cb2cb13dafbe20fe11b69f3842d40619d7ad86403942abeb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\zuzit.exe

Filesize
217KB

MD5
ef95bfbc416d3a028c44a5167850be1f

SHA1
0939253670cc56dc3c51a46a887869ff6326eeb4

SHA256
0fb1c8e002de699193da7e88eb70d841c0a6697754651b4879264bd351b699de

SHA512
4931092485add0322d01f58d2613e68d64bbcda28a1876e74a45e73bb4c7090707afc0e8809cc26256d618adeaa1cf95eea2d879a631f2a9089695fe4ae50ff3

Download Submit
memory/1448-14-0x0000000000B40000-0x0000000000BC8000-memory.dmp

Filesize
544KB

Download
memory/1448-0-0x0000000000B40000-0x0000000000BC8000-memory.dmp

Filesize
544KB

Download
memory/2724-26-0x0000000000C10000-0x0000000000C12000-memory.dmp

Filesize
8KB

Download
memory/2724-27-0x0000000000C90000-0x0000000000D44000-memory.dmp

Filesize
720KB

Download
memory/2724-29-0x0000000000C90000-0x0000000000D44000-memory.dmp

Filesize
720KB

Download
memory/2724-30-0x0000000000C90000-0x0000000000D44000-memory.dmp

Filesize
720KB

Download
memory/2724-31-0x0000000000C10000-0x0000000000C12000-memory.dmp

Filesize
8KB

Download
memory/2724-32-0x0000000000C90000-0x0000000000D44000-memory.dmp

Filesize
720KB

Download
memory/2724-33-0x0000000000C90000-0x0000000000D44000-memory.dmp

Filesize
720KB

Download
memory/5016-11-0x00000000003B0000-0x0000000000438000-memory.dmp

Filesize
544KB

Download
memory/5016-25-0x00000000003B0000-0x0000000000438000-memory.dmp

Filesize
544KB

Download